Many services that require user authentication deploy security measures against account compromise. Such existing security measures include checking whether a given user is logged in from a recognized device or location. While the nature of authentication data commonly precludes observation of the source of an authentication attempt, within an enterprise network the origin of a login is trusted information.
Multiple challenges exist in analyzing authentication log data. For example, there exists a semantic gap between what is recorded in the logs and the actual authentication activity that took place (for instance, there are at least 31 different Windows® authentication messages describing user logins). Also, domain controller logs can be extremely noisy. In addition to users entering passwords, it is also common for automated processes on hosts, such as email clients, to request authentication and authorization on behalf of a user. Further, new users and machines are continuously introduced into the enterprise network, and the activities corresponding thereto, though technically new, are often not anomalous.
Yet another challenge is the presence and/or introduction of new logins via existing users accessing machines that those users have not previously accessed. Accordingly, a need exists for techniques to identify and analyze destination machines accessed by a given user that are unusual for that user.
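The following is an added example, not part of the original text, showing one way the preceding challenges shape a per-user destination baseline: it replays constructed, already-normalized login records (the simple space-separated format, host names, user names and timestamps are all assumptions, not a Windows event format), builds the set of destination hosts each user has reached before, and flags a first login to a host only when neither the user nor the host is itself new to the enterprise within an assumed learning window. Failed attempts are not allowed to extend a user's baseline.

```python
"""
Per-user destination baseline over constructed authentication records.

Assumed input format (one event per line, already normalized from raw logs):
    <ISO timestamp> <user> <source host> <destination host> <success|failure>
Everything below (hosts, users, window length) is illustrative.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import NamedTuple

# Assumed learning window: a user or host younger than this is treated as
# "new", and its first-time logins are expected rather than anomalous.
LEARNING_WINDOW = timedelta(days=7)

# Constructed sample log; admin reaches DC01 early so that DC01 is an
# established host by the time alice first touches it.
SAMPLE_LOG = """\
2024-01-01T07:00:00 admin WS-ADMIN DC01 success
2024-01-01T08:00:00 alice WS-ALICE FILESRV01 success
2024-01-01T08:05:00 alice WS-ALICE MAILSRV01 success
2024-01-02T08:01:00 alice WS-ALICE FILESRV01 success
2024-01-02T09:00:00 bob WS-BOB FILESRV01 success
2024-01-03T08:02:00 alice WS-ALICE FILESRV01 success
2024-01-05T12:00:00 alice WS-ALICE HRSRV01 failure
2024-01-10T03:10:00 alice WS-ALICE DC01 success
2024-01-10T09:00:00 carol WS-CAROL FILESRV01 success
2024-01-10T09:05:00 bob WS-BOB NEWSRV02 success
"""


class LoginEvent(NamedTuple):
    ts: datetime
    user: str
    src: str
    dst: str
    result: str


class Finding(NamedTuple):
    ts: datetime
    user: str
    dst: str
    verdict: str  # "known", "new_user", "new_host" or "unusual_destination"


def parse_log(text: str) -> list[LoginEvent]:
    """Parse the assumed normalized format and return events in time order."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, user, src, dst, result = line.split()
        events.append(LoginEvent(datetime.fromisoformat(ts), user, src, dst, result))
    return sorted(events, key=lambda e: e.ts)


def classify_logins(events: list[LoginEvent],
                    learning_window: timedelta = LEARNING_WINDOW) -> list[Finding]:
    """Replay events chronologically, classifying each successful login
    against the user's destination baseline as it existed at that moment."""
    user_first_seen: dict[str, datetime] = {}
    host_first_seen: dict[str, datetime] = {}
    baseline: dict[str, set[str]] = defaultdict(set)
    findings = []
    for e in events:
        if e.result != "success":
            continue  # failed attempts never extend a baseline
        user_first_seen.setdefault(e.user, e.ts)
        host_first_seen.setdefault(e.dst, e.ts)
        if e.dst in baseline[e.user]:
            verdict = "known"
        elif e.ts - user_first_seen[e.user] < learning_window:
            verdict = "new_user"  # newly introduced user: new, not anomalous
        elif e.ts - host_first_seen[e.dst] < learning_window:
            verdict = "new_host"  # newly introduced machine: new, not anomalous
        else:
            verdict = "unusual_destination"  # established user, established host, first contact
        baseline[e.user].add(e.dst)
        findings.append(Finding(e.ts, e.user, e.dst, verdict))
    return findings


def unusual_destinations(findings: list[Finding]) -> list[tuple[str, str]]:
    """(user, destination) pairs that an analyst should review."""
    return [(f.user, f.dst) for f in findings if f.verdict == "unusual_destination"]


if __name__ == "__main__":
    for f in classify_logins(parse_log(SAMPLE_LOG)):
        print(f"{f.ts.isoformat()} {f.user:6} -> {f.dst:10} {f.verdict}")
```

Run against the constructed sample, only alice's first login to DC01 is reported: alice and DC01 have both been present for more than the window, while carol's and bob's first-time destinations are absorbed as a new user and a new host respectively. The example sidesteps the semantic gap mentioned above by assuming events are already reduced to one normalized record per login; in practice that normalization step, mapping the many distinct logon message types onto a single "user reached destination" record, is where much of the real effort lies.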